Last Call Review of draft-wkumari-dhc-capport-16
review-wkumari-dhc-capport-16-genart-lc-black-2015-09-03-00

Request Review of draft-wkumari-dhc-capport
Requested rev. no specific revision (document currently at 16)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2015-09-15
Requested 2015-09-03
Authors Warren Kumari, Ólafur Guðmundsson, P Ebersman, Steve Sheng
Draft last updated 2015-09-03
Completed reviews Genart Last Call review of -13 by David Black (diff)
Genart Telechat review of -15 by David Black (diff)
Genart Last Call review of -16 by David Black
Secdir Last Call review of -12 by Hannes Tschofenig (diff)
Opsdir Last Call review of -12 by David Black (diff)
Opsdir Telechat review of -14 by David Black (diff)
Assignment Reviewer David Black 
State Completed
Review review-wkumari-dhc-capport-16-genart-lc-black-2015-09-03
Reviewed rev. 16
Review result Ready
Review completed: 2015-09-03

Review
review-wkumari-dhc-capport-16-genart-lc-black-2015-09-03

The -16 version looks good, Thanks, --David

> -----Original Message-----
> From: Warren Kumari [

mailto:warren

 at kumari.net]
> Sent: Monday, August 31, 2015 12:07 PM
> To: Black, David
> Cc: olafur at cloudflare.com; ebersman-ietf at dragon.net; steve.sheng at icann.org;
> General Area Review Team (gen-art at ietf.org); ops-dir at ietf.org; ietf at ietf.org;
> dhcwg at ietf.org
> Subject: Re: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-15
> 
> On Fri, Aug 28, 2015 at 6:05 PM, Black, David <david.black at emc.com> wrote:
> > The Gen-ART and OPS-Dir review of the -13 version of this draft does not
> > appear to have been directly addressed in the -15 version.
> >
> > Of the 5 minor issues, other changes have addressed issue [4] and the
> > first part of issue [5] (first chunk of quoted text).  In addition, it's
> > ok to treat issue [1] as editorial.
> >
> > That leaves minor issues [2], [3] and the second part of [5] (second chunk
> > of quoted text) as topics that still merit attention, and I would like the
> > authors to consider adding the suggested additional security consideration.
> >
> 
> Apologies, David, no sure how we missed those. I think I got
> sidetracked while trying to address the first part of [5] and never
> came back to [2], [3].
> 
> [2]: I added (new text in '***' :
> The captive portal operator should ensure that the URIs handed out are
> equivalent to reduce the chance of operational problems. ***The
> maximum length of the URI that can be carried in IPv4 DHCP is 255
> byte, and so URIs longer than 255 bytes should not be used in IPv6
> DHCP or IPv6 RA.***
> 
> I'm not in love with this text, but not sure how to make it better.
> Implementers don't *have* to use the same URI in all protocols, and so
> I guess they could decide to use longer than 255 octets in DHCPv6 if
> they were sufficiently pathological.
> 
> [3]: Done. Thanks for providing text.
> 
> 
> [5]:
> 
> "Redirection to a portal where TLS can be used without hijacking can
> ameliorate some of the implications of connecting to a potentially
> malicious captive portal."
> This was a cut and paste from an email.
> I'm rewording it to:
> "By handing out a URI using which is protected with TLS, the captive
> portal operator can attempt to reassure the user that the captive
> portal is not malicious."
> 
> 
> The original text was provided by Joel -- I'm assuming that the
> rewording capture what he was attempting to say. David, does this
> address your comment? And Joel, does it (still) convey what you were
> saying?
> 
> 
> 
> 
> Additional:
> 
> Thank you for the text - I added (to security considerations):
> Captive portals are increasingly hijacking TLS connections to force
>  browsers to talk to the portal.  Providing the portal's URI via a DHCP
>  or RA option is a cleaner technique, and reduces user expectations of
>  being hijacked - this may improve security by making users more reluctant
>  to accept TLS hijacking, which can be performed from beyond the network
>  associated with the captive portal.
> 
> Nits:
> s/describe/describes/ - done (in earlier rev).
> 
> Mentioned that the URI is not null terminated.
> 
> 
> 
> > Thanks,
> > --David
> >
> >> -----Original Message-----
> >> From: Black, David
> >> Sent: Sunday, July 05, 2015 10:37 AM
> >> To: Warren Kumari; olafur at cloudflare.com; ebersman-ietf at dragon.net;
> >> steve.sheng at icann.org; General Area Review Team (gen-art at ietf.org); ops-
> >> dir at ietf.org
> >> Cc: ietf at ietf.org; dhcwg at ietf.org; Black, David
> >> Subject: Gen-ART and OPS-Dir review of draft-wkumari-dhc-capport-13
> >>
> >> This is a combined Gen-ART and OPS-Dir review.  Boilerplate for both
> follows
> >> ...
> >>
> >> I am the assigned Gen-ART reviewer for this draft. For background on
> >> Gen-ART, please see the FAQ at:
> >>
> >> <

http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> >>
> >> Please resolve these comments along with any other Last Call comments
> >> you may receive.
> >>
> >> I have reviewed this document as part of the Operational directorate's
> ongoing
> >> effort to review all IETF documents being processed by the IESG.  These
> >> comments
> >> were written primarily for the benefit of the operational area directors.
> >> Document editors and WG chairs should treat these comments just like any
> other
> >> last call comments.
> >>
> >> Document: draft-wkumari-dhc-capport-13
> >> Reviewer: David Black
> >> Review Date: July 5, 2015
> >> IETF LC End Date: July 7, 2015
> >>
> >> Summary:  This draft is on the right track, but has open issues
> >>               described in the review.
> >>
> >> This draft specifies DHCP (v4 and v6) and IPv6 RA options to provide the
> >> contact URI of a captive portal (e.g., for a WiFi hotspot).  It's a
> >> short draft that gets the job done - I found a few minor issues, and
> >> have an additional security consideration to suggest.
> >>
> >> Major issues: None
> >>
> >> Minor issues:
> >>
> >> [1] Section 2:
> >>
> >>    captive portals will still need to implement the
> >>    interception techniques to serve legacy clients, and clients will
> >>    need to perform probing to detect captive portals.
> >>
> >> Please explain what "the interception techniques" and "probing" are.
> >> I think this material was in -12 and removed for -13 - it does not need
> >> to be restored in its entirety, but those two terms deserve some
> >> explanation.  This should also explain "DNS interception" in the last
> >> paragraph in the section.
> >>
> >> [2] Section 2.1 - DHCPv4 has the shortest URI length limit, 255 bytes.
> >> That should be noted either here or in Section 2 in discussion of serving
> >> multiple classes of clients.  This should not be a problem in practice.
> >>
> >> [3] Sections 2.1, 2.2, 3: The term "URI of the authentication page" should
> >> be changed to something like "contact URI for the captive portal" because
> >> authentication is not always required by a captive portal.
> >>
> >> [4] Section 4: The IANA Considerations section is incomplete - see IANA's
> >> review.
> >>
> >> [5] Section 5:
> >>
> >>    Fake
> >>    DHCP servers / fake RAs are currently a security concern - this
> >>    doesn't make them any better or worse.
> >>
> >> Please cite a reference for this, preferably with operational
> recommendations
> >> on limiting these problems (e.g., ensure that DHCP and RA traffic cannot be
> >> injected from outside/beyond the network that is relevant to the portal).
> >>
> >>    Redirection to a portal where TLS can be used
> >>    without hijacking can ameliorate some of the implications of
> >>    connecting to a potentially malicious captive portal.
> >>
> >> Please explain who or what does the redirection and what is redirected
> >> (browser, VPN client?).  Is this a suggestion to use http:// URLs? (if
> >> so, that should be said explicitly).
> >>
> >> Nits/editorial comments:
> >>
> >> p.3, first sentence:
> >>
> >>    This document describe a DHCP ([RFC2131]) option (Captive Portal) and
> >>
> >> s/describe/describes
> >>
> >> I would add a sentence to section 2 to say that URI strings are not
> >> null-terminated.
> >>
> >> Section 3 - this should be renumbered to 2.3, as the overview text in
> >> Section 2 applies to the RA option.
> >>
> >> Possible additional security consideration:
> >>
> >> Captive portals are increasingly hijacking TLS connections to force
> >> browsers to talk to the portal.  Providing the portal's URI via a DHCP
> >> or RA option is a cleaner technique, and reduces user expectations of
> >> being hijacked - this may improve security by making users more reluctant
> >> to accept TLS hijacking, which can be performed from beyond the network
> >> associated with the captive portal.
> >>
> >> --- Selected RFC 5706 Appendix A Q&A for OPS-Dir review ---
> >>
> >> Most of these questions reduce to the corresponding questions for DHCP
> >> or IPv6 RAs.  Once the portal is contacted, there are significant
> >> operational considerations that are well outside the scope of this
> >> draft.
> >>
> >> A.1.3  Has the migration path been discussed?
> >>
> >>       Yes, briefly.  Minor issue [1] requests more information on
> >>       existing techniques, with which coexistence is anticipated.
> >>
> >> A.3.  Documentation
> >>
> >>       An operational considerations or manageability section isn't
> >>       called for.  I do not expect the options in this draft to
> >>       have significant operational impact.
> >>
> >> Thanks,
> >> --David
> >> ----------------------------------------------------
> >> David L. Black, Distinguished Engineer
> >> EMC Corporation, 176 South St., Hopkinton, MA  01748
> >> +1 (508) 293-7953             FAX: +1 (508) 293-7786
> >> david.black at emc.com        Mobile: +1 (978) 394-7754
> >> ----------------------------------------------------
> >
> 
> 
> 
> --
> I don't think the execution is relevant when it was obviously a bad
> idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing
> regret at having chosen those particular rabid weasels and that pair
> of pants.
>    ---maf